ESXi Loghost Configuration Tampering
Attackers modify the ESXi host's syslog configuration to disrupt log forwarding, potentially evading detection and hindering incident response efforts after a compromise.
This threat focuses on the malicious modification of syslog configurations on VMware ESXi hosts. An attacker with sufficient privileges changes the designated log host or directory settings. This action is designed to prevent security logs from reaching the intended security monitoring systems, effectively blinding defenders. This activity would typically occur post-compromise, as the attacker would need existing access to the ESXi host. Successful tampering allows attackers to operate with less risk of detection. This is especially relevant in environments targeted by ransomware groups like Black Basta.
Attack Chain
- The attacker gains unauthorized access to the ESXi host, potentially through exploiting vulnerabilities or compromised credentials.
- The attacker elevates privileges to enable modification of system configurations.
- The attacker executes commands to modify the Syslog.global.logHost setting, redirecting logs to a malicious server or disabling logging entirely. This is done by setting a new value for Syslog.global.logHost using the
esxclicommand or direct configuration file manipulation. - Alternatively, the attacker modifies the Syslog.global.logdir setting, changing the directory where logs are stored, potentially making them inaccessible to legitimate monitoring tools.
- The ESXi host processes the configuration change, and the syslog daemon starts forwarding logs (or not forwarding them) based on the new settings.
- The attacker performs malicious activities on the compromised ESXi host, knowing that their actions are less likely to be detected due to the disabled or redirected logging.
- The attacker attempts to remove or obfuscate evidence of the configuration changes to further evade detection.
- The attacker proceeds with their objectives such as data exfiltration, lateral movement, or ransomware deployment, leveraging the reduced visibility.
Impact
Successful modification of the ESXi loghost configuration can severely impair an organization's ability to detect and respond to security incidents. With critical logs no longer being forwarded to central monitoring systems, malicious activity on the ESXi host goes unnoticed. This can lead to delayed incident response, increased dwell time for attackers, and greater damage from attacks such as ransomware. This is particularly impactful for organizations relying on ESXi for critical infrastructure.
Recommendation
- Deploy the Sigma rule "ESXi Loghost Config Tampering Detection" to your SIEM to identify changes to the syslog loghost configuration (esxi_syslog).
- Enable and monitor VMware ESXi Syslog to ensure proper log forwarding to a secure central log repository (VMWare ESXi Syslog).
- Investigate any alerts generated by the Sigma rule, focusing on the source ESXi host ("dest" field in the Sigma rule) and the user account that made the changes.
- Regularly audit ESXi host configurations to verify the integrity of syslog settings and detect unauthorized modifications.
- Implement strong access control measures to restrict who can modify ESXi host configurations.
Detection coverage 2
ESXi Loghost Config Tampering Detection
highDetects changes to the Syslog.global.logHost or Syslog.global.logdir configuration on an ESXi host, which may indicate an attempt to disrupt log forwarding.
ESXi Loghost Config Tampering - IP Address Modification
highDetects changes to the Syslog.global.logHost configuration on an ESXi host specifically looking for IP address changes.
Detection queries are available on the platform. Get full rules →